Developing a Custom Authorization Module

In the Hadoop ecosystem, each component (e.g., Hive, HBase) has its own authorization
implementation and the ability to plug in a custom authorization module. To implement the
centralized authorization and audit feature for a component, the component must support a
customizable (or pluggable) authorization module.

The custom component Authorization Plugin should do the following:

Provide authorization based on policies defined in the Policy Admin Tool

Provide audit information based on the authorization decisions

Implementing Custom Component Authorization

To implement the custom component authorization plugin, the Ranger common agent
framework provides the following functionalities:

Ability to read all policies from Service Manager for a given service-id

Ability to log audit information

When the custom authorization module is initialized, the module should do the
following:

Initiate a REST API call to the “Policy Admin Tool” to retrieve all policies associated
with the specific component.

Once the policies are available, the module should:

Build the policies into a custom data structure that enables the authorization
module.

Kick off the policy updater thread to refresh policies from the “Policy Admin
Tool” at a regular interval.

When the custom authorization module is called to perform authorization of a component
action (such as READ action) on a specific component resource (such as /app folder), the
authorization module will:

Identify the authorization decision. For each policy in policyList:

    If (resource-in-policy <match> auth-requested-resource)

        If (action-in-policy <match> action-requested)

            If (current-user or current-user-groups or public-group <allowed> for
            the policy), Return access-allowed
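
The initialization and decision steps above, as an added sketch that is not Ranger code and does not use the Ranger agent API. The policy field names, the glob-style resource match, the in-memory audit list, and the deny result when no policy matches are assumptions of this example; fetch_policies is a hypothetical stand-in for the REST call to the Policy Admin Tool.

```python
import fnmatch
import threading

# Constructed sample policies; the field names are assumptions of this
# example, not the Policy Admin Tool's schema.
SAMPLE_POLICIES = [
    {"id": 1, "resource": "/app/*", "actions": {"READ"},
     "users": {"alice"}, "groups": {"analysts"}},
    {"id": 2, "resource": "/public/*", "actions": {"READ"},
     "users": set(), "groups": {"public"}},
]

class Authorizer:
    def __init__(self, fetch_policies, refresh_secs=30.0):
        # fetch_policies stands in for the REST call to the Policy Admin Tool.
        self._fetch = fetch_policies
        self._policies = tuple(fetch_policies())  # initial load at init time
        self._refresh_secs = refresh_secs
        self._stop = threading.Event()
        self.audit_log = []  # in-memory stand-in for the audit sink

    def refresh(self):
        try:
            # Build the new snapshot fully, then swap the reference so
            # request threads never see a half-updated policy list.
            self._policies = tuple(self._fetch())
        except Exception:
            pass  # fetch failed: keep enforcing the last good snapshot

    def start_updater(self):
        def loop():
            while not self._stop.wait(self._refresh_secs):
                self.refresh()
        threading.Thread(target=loop, daemon=True).start()

    def stop_updater(self):
        self._stop.set()

    def is_allowed(self, user, groups, action, resource):
        effective = set(groups) | {"public"}  # every user is in the public group
        matched = None
        for p in self._policies:  # for each policy in policyList
            if (fnmatch.fnmatchcase(resource, p["resource"])
                    and action in p["actions"]
                    and (user in p["users"] or effective & p["groups"])):
                matched = p["id"]
                break
        # Audit every decision, allowed or denied.
        self.audit_log.append({"user": user, "action": action,
                               "resource": resource, "policy": matched,
                               "allowed": matched is not None})
        return matched is not None
```

Denied requests are written to the audit list as well, with no policy id, so the audit trail shows which requests fell through every policy.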